Description
Before reporting an issue
- I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
token-exchange
Describe the bug
I'm trying to exchange an oauth token with a keycloak access token, to gain access to my site. Followed all the instructions from the guide, enabled --features=preview,admin-fine-grained-authz, made all the policies and attached to the correct identity provider (which is working otherwise), and have toggled on the permissions for the client and idp.
Getting a token not valid at the end, since keycloak is not able to fetch user info, which gives this error
keycloak | 2025-03-16 22:01:47,122 WARN [org.keycloak.events] (executor-thread-8) type="TOKEN_EXCHANGE_ERROR", realmId="931a93f0-4b89-4cdb-98eb-a1b5520554f2", realmName="Niti", clientId="web-ambri", userId="null", ipAddress="172.19.0.1", error="invalid_token", reason="user info call failure", auth_method="token_exchange", grant_type="urn:ietf:params:oauth:grant-type:token-exchange", subject_issuer="google", validation_method="user info", client_auth_method="client-secret"
If I try and disable the user-info service and put the trust email flag on, it still doesn't return me the access token and returns this error.
2025-03-16 22:01:47,122 WARN [org.keycloak.events] (executor-thread-8) type="TOKEN_EXCHANGE_ERROR", realmId="931a93f0-4b89-4cdb-98eb-a1b5520554f2", realmName="Niti", clientId="web-ambri", userId="null", ipAddress="172.19.0.1", error="invalid_token", reason="user info call failure", auth_method="token_exchange", grant_type="urn:ietf:params:oauth:grant-type:token-exchange", subject_issuer="google", validation_method="user info", client_auth_method="client-secret"
I have made sure my token is valid by calling the google api to fetch info and have been able to from postman.
I'm running keycloak inside docker.
Version
26.1.4
Regression
- The issue is a regression
Expected behavior
Token exchange would work correctly and return me the access token.
Actual behavior
Leading to errors since keycloak is not able to return the userinfo for the user by hitting the google apis.
keycloak | 2025-03-16 22:01:47,122 WARN [org.keycloak.events] (executor-thread-8) type="TOKEN_EXCHANGE_ERROR", realmId="931a93f0-4b89-4cdb-98eb-a1b5520554f2", realmName="Niti", clientId="web-ambri", userId="null", ipAddress="172.19.0.1", error="invalid_token", reason="user info call failure", auth_method="token_exchange", grant_type="urn:ietf:params:oauth:grant-type:token-exchange", subject_issuer="google", validation_method="user info", client_auth_method="client-secret"
If userinfo is toggled off in idp and trust email is not turned on, gives this error
keycloak | 2025-03-16 21:59:20,546 WARN [org.keycloak.events] (executor-thread-1) type="TOKEN_EXCHANGE_ERROR", realmId="931a93f0-4b89-4cdb-98eb-a1b5520554f2", realmName="Niti", clientId="web-ambri", userId="null", ipAddress="172.19.0.1", error="invalid_token", reason="user info service disabled", auth_method="token_exchange", grant_type="urn:ietf:params:oauth:grant-type:token-exchange", subject_issuer="google", validation_method="user info", client_auth_method="client-secret"
Tested I was using a valid token by hitting this
curl --location 'https://oauth2.googleapis.com/tokeninfo?id_token={GOOGLE_ID_TOKEN}'
Not sure what to do here.
How to Reproduce?
- Add a google identity provider
- Follow the token-exchange guide fully
- Try exchanging the oauth token and get an access token
Anything else?
No response
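Added example (not from the issue or from the Keycloak project) that builds the external-to-internal token-exchange request described above and parses the pasted org.keycloak.events lines so the failure reason can be read off mechanically. It assumes a local Keycloak base URL; the realm, client id and IdP alias come from the report. Note that validation_method="user info" in the pasted events means Keycloak presented the subject token as a bearer token to the IdP's userinfo endpoint, which expects a Google access token, not the ID token that the tokeninfo?id_token= check on this page validates; an ID token is sent with the id_token subject_token_type instead.

```python
import re
from urllib.parse import urlencode

KEYCLOAK_BASE = "http://localhost:8080"  # assumption: keycloak in local docker
REALM = "Niti"                           # realm name from the pasted events
TOKEN_URL = f"{KEYCLOAK_BASE}/realms/{REALM}/protocol/openid-connect/token"

TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"
ID_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:id_token"


def exchange_request(subject_token, client_id, client_secret,
                     subject_issuer="google", subject_token_type=ACCESS_TOKEN_TYPE):
    """Form fields for exchanging an external IdP token for a realm token.
    With ACCESS_TOKEN_TYPE Keycloak validates via the IdP's userinfo endpoint
    (the "user info" validation_method in the report); with ID_TOKEN_TYPE it
    validates the JWT itself and does not call userinfo."""
    return {
        "grant_type": TOKEN_EXCHANGE,
        "subject_token": subject_token,
        "subject_token_type": subject_token_type,
        "subject_issuer": subject_issuer,   # IdP alias configured in the realm
        "client_id": client_id,
        "client_secret": client_secret,     # client_auth_method="client-secret"
    }


EVENT_FIELD = re.compile(r'(\w+)="([^"]*)"')

def parse_event(line):
    """Split a Keycloak event log line into its key="value" fields."""
    return dict(EVENT_FIELD.findall(line))

# Constructed mapping of the two reasons seen in the report to their cause.
DIAGNOSIS = {
    "user info call failure": "IdP userinfo request with the subject token failed: "
        "check it is an access token for that IdP and that Keycloak can reach the IdP",
    "user info service disabled": "IdP has user info disabled and trust email off, "
        "so the userinfo validation path has nothing to validate the token with",
}

def diagnose(line):
    """Return (reason, explanation) for a TOKEN_EXCHANGE_ERROR event line."""
    ev = parse_event(line)
    if ev.get("type") != "TOKEN_EXCHANGE_ERROR":
        return ("", "not a token-exchange error event")
    reason = ev.get("reason", "")
    return (reason, DIAGNOSIS.get(reason, "unrecognised reason: " + reason))

# Constructed sample: the second event line from the report, shortened.
SAMPLE = ('type="TOKEN_EXCHANGE_ERROR", realmName="Niti", clientId="web-ambri", '
          'error="invalid_token", reason="user info service disabled", '
          'subject_issuer="google", validation_method="user info"')

if __name__ == "__main__":
    print(TOKEN_URL, urlencode(exchange_request("<token>", "web-ambri", "<secret>")))
    print(diagnose(SAMPLE))
```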